
I can't find a way to refresh idToken with refreshToken while having OIDC disabled



Hi there, I am using Auth0 with Facebook (in an iOS app) to authenticate users, and to do so I need to have HS256 encoding turned on with OIDC off. My problem is, I can't get a new idToken when I do Auth0.authentication().renew or Auth0.authentication().tokenExchange. All I can find in credentials is accessToken. Can anybody help me? Thanks!


There’s a lot in play here that adds friction to the overall flow. From one side, the latest and recommended flows in Auth0 enforce certain security requirements like the usage of RS256 for ID tokens issued to public clients. On the other side, the integration only supports HS256 tokens. On top of that you could argue that although ID tokens should be sent as part of an authentication procedure that could lead to a signup of the user, subsequent API calls should use access tokens instead of ID tokens.

Due to the above you disabled OIDC, which means you signal the intention to use the legacy flows (not recommended), but then are calling renew and tokenExchange, which call into the /oauth/token endpoint that does not have full interoperability with the legacy flows. This explains why the refresh token obtained through legacy flows does not really get you the expected response when you try to use it against that endpoint.

You could consider using the legacy approach to refresh tokens through the delegation endpoint (if available to your tenant), which may answer your needs; however, this would not be recommended. If I were you I would also go through this GH issue on the side of things which was asking for support for RS256 and where there are a few alternatives described around RS256 tokens and Schema Extensions.
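As an added illustration of the point above about ID tokens versus access tokens (this is example code written for this page, not code from the thread, from Auth0 or from its SDKs; the issuer, client ID, API audience, subject and shared secret are constructed placeholders), the following minimal HS256 validator pins the algorithm, checks the signature, and then enforces the audience: an ID token carries the client ID in `aud` and is accepted by the app, but the same token is rejected by an API that expects its own identifier, which is exactly why API calls should carry an access token. Note that HS256 verification needs the shared client secret, which a public client such as an iOS app cannot keep private; that is the reason the recommended flows require RS256 for ID tokens issued to public clients.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders, not values from the thread or from any real tenant.
ISSUER = "https://example-tenant.auth0.com/"
CLIENT_ID = "CONSTRUCTED_CLIENT_ID"
API_AUDIENCE = "https://api.example.com/"
SHARED_SECRET = "constructed-hs256-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build sample tokens offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
               for p in (header, claims)]
    signing_input = ".".join(encoded)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, secret: str, expected_iss: str, expected_aud: str, now=None):
    """Validate an HS256 JWT for one consumer. Returns (ok, reason, claims)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "bad header", None
    # Pin the algorithm: the verifier decides, never the token's own header.
    if header.get("alg") != "HS256":
        return False, "unexpected alg %r" % header.get("alg"), None
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected_sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    try:
        actual_sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "bad signature encoding", None
    if not hmac.compare_digest(expected_sig, actual_sig):
        return False, "signature mismatch", None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False, "bad payload", None
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch", None
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    # The audience binds the token to one consumer: client ID for an ID token,
    # API identifier for an access token. Each consumer checks for its own.
    if expected_aud not in aud_list:
        return False, "audience mismatch", None
    if "exp" not in claims or now >= int(claims["exp"]):
        return False, "token expired", None
    return True, "ok", claims


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the validator with two constructed tokens; returns reason strings."""
    base = {"iss": ISSUER, "sub": "facebook|constructed-user", "iat": now, "exp": now + 3600}
    id_token = make_hs256_jwt({**base, "aud": CLIENT_ID}, SHARED_SECRET)
    access_token = make_hs256_jwt({**base, "aud": API_AUDIENCE}, SHARED_SECRET)
    # Same header and payload as id_token but with a bogus signature.
    tampered = id_token.rsplit(".", 1)[0] + "." + _b64url_encode(b"\x00" * 32)
    return {
        "id_token_at_app": validate_jwt(id_token, SHARED_SECRET, ISSUER, CLIENT_ID, now)[1],
        "id_token_at_api": validate_jwt(id_token, SHARED_SECRET, ISSUER, API_AUDIENCE, now)[1],
        "access_token_at_api": validate_jwt(access_token, SHARED_SECRET, ISSUER, API_AUDIENCE, now)[1],
        "expired": validate_jwt(id_token, SHARED_SECRET, ISSUER, CLIENT_ID, now + 7200)[1],
        "tampered": validate_jwt(tampered, SHARED_SECRET, ISSUER, CLIENT_ID, now)[1],
    }


if __name__ == "__main__":
    for check, reason in demo().items():
        print(f"{check}: {reason}")
```

The `now` parameter is injectable so the expiry check is deterministic; in a real service it would default to the current time as shown. The audience check is the part that matters for the answer above: minting a fresh ID token for API calls, as the question tries to do, only works if the API is willing to accept a token whose audience is the client ID, which a correctly configured API should not do.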


Thank you for your answer. If I will encounter any further problems I will let you know.
